From docker run to Compose: What Each Flag Really Means
From docker run to Compose: What Each Flag Really Means
A technical guide to translating docker run commands into Compose services while preserving ports, volumes, environment variables, restart rules, and secrets.
Original workflow visual
From docker run to Compose: What Each Flag Really Means
Read flags
Review before moving forward
Map service
Review before moving forward
Validate config
Review before moving forward
The image name tells Docker what filesystem and default command to start from. It does not explain how the container should connect to the host, where data should persist, which environment variables are required, or what happens after a restart. Compose makes these decisions visible. A good service block should be readable enough that another person can tell what the container needs and what it exposes.
A docker run flag such as -p 8080:80 maps host port 8080 to container port 80. Reversing that meaning is a common mistake. Compose expresses the same relationship under ports. Before copying a mapping, ask which port users or reverse proxies connect to and which port the application listens on inside the container. Avoid exposing ports publicly unless the service actually needs direct access.
Containers are disposable by design. Volumes and bind mounts decide which data survives recreation. A bind mount points at a host path; a named volume is managed by Docker. When translating from run to Compose, preserve the difference. Mounting the wrong host directory can hide files inside the image or write data somewhere unexpected. For databases and uploaded files, volume review is more important than syntax.
The -e flag is convenient, but copied commands often include passwords, tokens, or connection strings. Compose can move configuration into environment sections or env files, but that does not automatically make secrets safe. Do not commit real secrets to the repository. Use the project's existing secret handling, deployment environment, or secret manager. If you publish examples, use clear placeholders instead of realistic credentials.
A one-off docker run command may exit and stay stopped. A service often needs a restart policy. Compose lets you document whether a container should restart unless stopped, always restart, or remain manual. This is an operational decision, not a formatting detail. A crash-looping container with an aggressive restart policy can hide errors or create noise. Pair restart rules with logs and health checks when the service matters.
Some docker run flags translate directly. Others require Compose-specific keys, a different structure, or manual review. Interactive flags, device access, network modes, capabilities, user IDs, DNS settings, and platform constraints can carry security implications. A converter can produce a draft, but advanced flags should be reviewed against Docker and Compose documentation before production use.
Start from a representative command with image, ports, volumes, environment variables, and restart behavior. Convert it into a service. Rename the service and volumes clearly. Remove secrets. Run a configuration validation command. Start locally if safe, inspect logs, and confirm the app writes data where expected. Then commit the Compose file with comments for any non-obvious flag. The goal is maintainable operations, not just a prettier command.
Common Questions
No. Many common flags map cleanly, but networking, devices, security options, and interactive behavior need manual review.
Real secrets should not be committed. Use environment injection, secret managers, or the project's existing deployment mechanism.
Compose documents ports, volumes, environment, restart policy, and service identity in a repeatable file.
Run a Compose config validation, then review the resolved service. Confirm the image, command, ports, volumes, environment variables, user, restart policy, and network match the original intention. If the command was copied from a README, check whether the defaults are appropriate for your host instead of preserving them blindly.
Check the host path, container path, read-only flag, ownership, backup expectations, and whether the mount hides files from the image. A wrong bind mount can make an application appear empty, write data outside the intended directory, or expose host files that the container should not see.
Fixed container names can collide when multiple stacks run on the same host or when developers start copies locally. Service names and project names usually provide enough identity while allowing Compose to manage unique container names for each stack.
Comment non-obvious ports, host paths, privileges, and restart choices. Do not comment secrets or temporary debugging values.